e-ID and identity management aspects
in the Belgian social sector
Frank Robben
General Manager Crossroads Bank for Social Security
General Manager SmalS-MvM
Sint-Pieterssteenweg 375
B-1040 Brussels
E-mail: Frank.Robben@ksz.fgov.be
CBSS website: www.ksz.fgov.be
Personal website: www.law.kuleuven.ac.be/icri/frobben
Structure of the presentation
• actual environment
• electronic user and access management
– eID: functions and additional needs
– policy enforcement model
• SIS card and eID
• transnational aspects
– needs: some use cases
– proposal of concrete objectives
2
ADAPID project (ADvanced APplications for electronic IDentity cards) - Tuesday 26th September 2006
Actual environment
• a network between all 2,000 social sector actors with a
secure connection to the internet and other public (e.g.
FedMAN) and private (e.g. Isabel) networks
• a unique identification key
– for every citizen, electronically readable from an electronic social
security card (SIS card) and an electronic identity card (eID)
– for every company
• a task sharing between actors in the social sector and
other sectors with regard to information management
and information storage in authentic sources
Actual environment
• 185 electronic services for mutual information exchange
amongst all actors in the social sector, defined after
process optimization
– nearly all direct or indirect (via citizens or companies) paper-
based information exchange between actors in the social sector
has been abolished
– in 2005 half a billion electronic messages were exchanged
amongst actors in the social sector, which saved as many paper
exchanges
• an integrated portal site containing
– electronic transactions for employers and citizens
– information about the entire Belgian social security system
– harmonized instructions and information model with regard to all
electronic transactions
– a personal page for each company
Actual environment
• 36 electronic services for employers, either based on the
electronic exchange of structured messages between
software applications of the employers and software
applications of actors in the social sector, or via the
integrated portal site
– 50 social security declaration forms have been abolished
– in the remaining 30 declaration forms the number of headings
has on average been reduced to a third of the previous number
– declarations are limited to 3 events
• immediate declaration of recruitment and discharge (only
electronically)
• quarterly declaration of salary and working times (only
electronically)
• 21 types of declarations of social risks (electronically or on paper)
– in 2005 15,7 million electronic declarations were made by all
220,000 employers, 98 % of which from application to
application
Actual environment
• 4 electronic services for citizens via the integrated portal
– 2 services to apply for social benefits
– 2 services for consultation of social benefits
– about 30 new services are foreseen
• an integrated multimodal contact centre supported by a
customer relationship management tool
• an integrated e-workspace for professionals involved in
the social sector with
– e-teams
– workflow throughout social sector actors (e.g. e-Leg)
• a datawarehouse with integrated information for
research and policy support, and policy evaluation
Actual environment
• coordination by the Crossroads Bank for Social Security
– definition of the vision and the strategy on E-government in the
social sector and of the common principles related to information
management
– definition, implementation and management of an interoperability
framework
– secure messaging of several types of information (structured
data, documents, images, metadata, …) with business logic and
orchestration support
– coordination of business process reengineering
– stimulation of service oriented applications
– management of a reference directory for
• preventive control on the legitimacy of the information exchange
• organisation of the routing of information
• automatic communication of changes of information
Actual environment
• reference directory
– directory of available services/information
• which information/services are available at any institution depending
on the capacity in which a person/company is registered at each
institution
– directory of authorisation policies
• which users/applications are authorized to access which
information/services depending on the capacity in which a
person/company is registered at each institution
– directory of data subjects
• which persons/companies have personal files in which institutions
for which periods of time, and in which capacity they are registered
– subscription table
• which users/applications want to automatically receive what
services in which situations for which persons/companies in which
capacity
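As an added illustration (not CBSS code), a toy reference directory holding the four tables above and performing the three functions listed on the previous slide: preventive control on the legitimacy of an exchange, routing of the information, and automatic communication of changes. The institution, service, capacity and person names are constructed placeholders.

```python
# Added example, not the CBSS's own code: a toy reference directory with the four
# tables from the slide. All institutions, capacities, services and person
# identifiers are constructed placeholders.
from dataclasses import dataclass
from datetime import date

@dataclass
class Registration:
    # directory of data subjects: a person file at an institution, in a capacity, for a period
    institution: str
    capacity: str
    start: date
    end: "date | None" = None

    def active_on(self, day):
        return self.start <= day and (self.end is None or day <= self.end)

class ReferenceDirectory:
    def __init__(self):
        self.services = {}          # available services: (institution, capacity) -> set of services
        self.policies = {}          # authorisation policies: (requester, service) -> allowed capacities
        self.subjects = {}          # data subjects: person -> [Registration]
        self.subscriptions = set()  # subscription table: (subscriber, service, capacity)

    def capacities_at(self, person, institution, day):
        return {r.capacity for r in self.subjects.get(person, [])
                if r.institution == institution and r.active_on(day)}

    def check_exchange(self, requester, person, service, day):
        """Preventive control on legitimacy, then routing: ("PERMIT", sources) or ("DENY", reason)."""
        allowed = self.policies.get((requester, service), set())
        if not allowed & self.capacities_at(person, requester, day):
            return "DENY", "requester holds no file on the person in an authorised capacity"
        sources = {r.institution for r in self.subjects.get(person, [])
                   if r.active_on(day) and service in self.services.get((r.institution, r.capacity), set())}
        if not sources:
            return "DENY", "no authentic source offers this service for this person"
        return "PERMIT", sorted(sources)

    def notify_change(self, person, service, day):
        """Automatic communication of changes: subscribers to this service for persons held in that capacity."""
        return sorted({sub for sub, svc, cap in self.subscriptions
                       if svc == service and cap in self.capacities_at(person, sub, day)})

def build_demo_directory():
    """Constructed sample: a hospital consults, at a sickness fund, the insurability
    of a patient it holds a file on during September 2006."""
    d = ReferenceDirectory()
    d.services[("SicknessFund", "insured")] = {"insurability"}
    d.policies[("Hospital", "insurability")] = {"patient"}
    d.subjects["person-1"] = [Registration("SicknessFund", "insured", date(2006, 1, 1)),
                              Registration("Hospital", "patient", date(2006, 9, 1), date(2006, 9, 30))]
    d.subscriptions.add(("Hospital", "insurability", "patient"))
    return d
```

Once the hospital's file on the patient expires at the end of September, the same request is refused and the hospital drops out of the change notifications.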
Electronic user & access management
• eID
– electronic identification and authentication of the identity of
physical persons over the age of 12 who are registered in the
Belgian population registers
– electronic signature of these persons
• additional needs
– electronic identification and authentication of the identity of
physical persons under the age of 12 or who are not registered
in the Belgian population registers
– authentication of characteristics (e.g. a capacity, a function, a
professional qualification)
– authentication of mandates between a legal or physical person
to whom an electronic transaction relates and the person
carrying out that transaction
– authorisation management
– towards an eID based on biometrics ?
Policy Enforcement Model
[Diagram: a User performs an Action on application, which the Policy Enforcement Point (PEP) intercepts and either passes on to the Application (PERMITTED) or rejects (DENIED). The PEP exchanges a Decision request / Decision reply with the Policy Decision Point (PDP). The PDP performs Policy retrieval from the Policy Administration Point (PAP), whose Policy repository is maintained by a Manager through Policy management, and exchanges Information request / reply with Policy Information Points (PIP), each backed by an Authentic source.]
Policy Enforcement Point (PEP)
• intercepts the request for authorisation with all available
information about the user, the action being requested,
the resources and the environment
• passes on the request for authorisation to the Policy
Decision Point (PDP) and extracts a decision regarding
authorisation
• grants access to the application and provides relevant
credentials
[Diagram: User, Action on application, PEP with the outcomes PERMITTED (to the Application) and DENIED, Decision request / Decision reply exchanged with the Policy Decision Point (PDP).]
Policy Decision Point (PDP)
• based on the request for authorisation received,
retrieves the appropriate authorisation policy from the
Policy Administration Point(s) (PAP)
• evaluates the policy and, if necessary, retrieves the
relevant information from the Policy Information Point(s)
(PIP)
• takes the authorisation decision (permit/deny/not
applicable) and sends it to the PEP
[Diagram: PEP, Decision request / Decision reply, PDP; Policy retrieval from the Policy Administration Point (PAP); Information request / reply exchanged with two Policy Information Points (PIP).]
Policy Administration Point (PAP)
• environment to store and manage authorisation policies
by authorised person(s) appointed by the application
managers
• puts authorisation policies at the disposal of the PDP
[Diagram: a Manager performs Policy management on the PAP and its Policy repository; the PDP performs Policy retrieval from the PAP.]
Policy Information Point (PIP)
• puts information at the disposal of the PDP in order to evaluate
authorisation policies (authentic sources with characteristics,
mandates, etc.)
[Diagram: the PDP exchanges Information request / reply with PIP 1 and PIP 2, each backed by an Authentic source.]
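The four components described on the last five slides, as an added toy implementation that is not the CBSS's own code: a PEP hands a decision request to a PDP, which retrieves the policy from a PAP and sends information requests to two PIPs (one over a characteristics source, one over a mandate source). The application, user and attribute names are assumptions, as is the declaration policy itself.

```python
# Added example, not the CBSS's own code: a toy version of the policy enforcement
# model on the slides (PEP, PDP, PAP, two PIPs over constructed authentic sources).
# All identities, applications, characteristics and mandates are placeholders.
from collections import namedtuple
# user: identity authenticated at the PEP (e.g. with the eID); on_behalf_of: the person the transaction relates to
AuthorisationRequest = namedtuple("AuthorisationRequest", "user action application on_behalf_of", defaults=(None,))

class PolicyInformationPoint:
    def __init__(self, source):
        self.source = source  # authentic source: {subject: {attribute: value}}
    def lookup(self, subject, attribute):
        return self.source.get(subject, {}).get(attribute)

class PolicyAdministrationPoint:
    def __init__(self):
        self.repository = {}  # policy repository: (application, action) -> policy callable
    def manage(self, application, action, policy):
        self.repository[(application, action)] = policy
    def retrieve(self, application, action):
        return self.repository.get((application, action))

class PolicyDecisionPoint:
    def __init__(self, pap, pips):
        self.pap, self.pips = pap, pips
    def info(self, subject, attribute):  # information request/reply: first PIP holding the attribute answers
        return next((v for v in (p.lookup(subject, attribute) for p in self.pips) if v is not None), None)
    def decide(self, req):
        policy = self.pap.retrieve(req.application, req.action)  # policy retrieval from the PAP
        if policy is None:
            return "NOT_APPLICABLE"
        return "PERMIT" if policy(req, self.info) else "DENY"

class PolicyEnforcementPoint:
    def __init__(self, pdp):
        self.pdp = pdp
    def handle(self, req):  # decision request/reply with the PDP
        decision = self.pdp.decide(req)
        if decision == "PERMIT":  # pass the relevant credentials on to the application
            return "PERMITTED", {"user": req.user, "acting_for": req.on_behalf_of or req.user}
        return "DENIED", {"decision": decision}

def employer_declaration_policy(req, info):
    # constructed policy: the party declared for holds the characteristic "employer" and, if a
    # user acts for it, the mandate source lists that user as its mandatary
    principal = req.on_behalf_of or req.user
    if info(principal, "capacity") != "employer":
        return False
    return req.on_behalf_of is None or req.user in (info(req.on_behalf_of, "mandataries") or [])

def build_demo_pep():
    characteristics = PolicyInformationPoint({"acme": {"capacity": "employer"}, "alice": {"capacity": "citizen"}})
    mandates = PolicyInformationPoint({"acme": {"mandataries": ["bob"]}})
    pap = PolicyAdministrationPoint()
    pap.manage("declaration-app", "declare", employer_declaration_policy)
    return PolicyEnforcementPoint(PolicyDecisionPoint(pap, [characteristics, mandates]))
```

A user without a mandate for the employer, or a declaration by someone who does not hold the employer characteristic, is denied, and an action no policy covers yields the third outcome from the slide, "not applicable".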
eID and social security portal
• all end-user applications are divided into categories
based on the required level of security
– all applications can be used with the eID as a means of
electronic identification and authentication of identity
– some applications can also be used (temporarily) on the basis of
a user-id, password and, where appropriate, a citizen token or a
public servant token
• electronic signatures can be put with the eID
• the policy enforcement model is being implemented for
the authentication of characteristics and mandates and
for authorisation management
SIS card and eID
• gradual replacement of the functions of the SIS card
once the following conditions have been fulfilled
– function of electronic identification: overall availability of the eID
– function of proof of the insurability in the health care sector
• secure on line access by the health care providers to the insurability
information available at the sickness funds
• electronic identification and authentication of the identity,
characteristics and mandates of the health care providers
• preservation of the SIS card or a similar solution for
persons who do not possess an eID (persons not
residing in Belgium, children under the age of 12, etc.)
• availability of readers that can read both the SIS-card
and the eID
Transnational aspects
• need to be able to electronically
– identify and authenticate the identity of all relevant entities
(physical persons, companies, …)
– authenticate the relevant characteristics of the entities
– authenticate that an entity has been mandated by another entity
to perform a legal action
• need to implement the objective and related actions from
the interministerial statement about E-government in the
EU issued on 24th November 2005
Interministerial statement
“By 2010 European citizens and business shall be able to
benefit from secure means of electronic identification that
maximise user convenience while respecting data
protection regulations. Such means shall be made
available under the responsibility of the Member States, but
recognised across the EU.”
Interministerial statement: actions
• “Member States will, during 2006, agree a process and
roadmap for achieving the electronic identity objectives
and address the national and European legal barriers to
the achievement of the electronic identity objectives;
work in this area is essential for public administrations to
deliver personalised electronic services with no
ambiguity as to the user’s identity.”
• “Member States will, over the period 2006-2010, work
towards the mutual recognition of national electronic
identities by testing, piloting and implementing suitable
technologies and methods.”
Some use cases
• individual residing in Member State A is temporarily
employed (posted) in Member State B
– the employer or his representative has to ask for authorization
from the competent social security institution of Member State A
– the competent social security institution of Member State A
(electronically) sends an E101-form to the competent social
security institution of Member State B
=> need for (interrelated) identification of the employer,
his representative and the employee in both Member
States, need for authentication of the characteristic
"employer" and need for authentication of the mandate
of the representative
Some use cases
• individual residing in Member State A works, studies or
looks for work in Member State B => need for
(interrelated) identification of the individual in both
Member States
• individual residing in Member State A simultaneously
works in various other Member States => need for
(interrelated) identification of the individual in all Member
States
• individual residing in Member State A needs health care
in Member State B (form E111, (e)EHIC) => need for
(interrelated) identification of the individual in both
Member States
Some use cases
• individual residing in Member State A has to exchange
(in an electronic way) data with public authorities in
Member State B => need for (interrelated) identification
of the individual in both Member States
• employer or his representative residing in Member State
A has to exchange (in an electronic way) data about his
employees with public authorities in Member State B =>
need for (interrelated) identification in both Member
States of the employer, his representative and the
employees, need for authentication of the characteristic
of "employer" and need for authentication of the
mandate of the representative
[Figure: roadmap 2006 to 2010 towards a Common European eIDM Framework, with tracks for: Identify user benefits, awareness, formulate vision; Wide awareness, promotion campaign; User awareness and acceptance; Use Cases (eProcurement, migrant workers); Testbeds / pilots, e.g. in CIP, e-procurement, health info networks; eTEN, IDABC testbeds; Validation and CEC key applications as 'lead user'; Semantic specifications; IST R&D for federated, multi-level, secure eIDM; Federated eID Management; Organisational interoperability; CEN eIDM standardisation; Technical interoperability; IDABC business attestations study; link to ECC; IDABC e-sign studies; eID management at national level; Explain role of e-sign Directive; Authentication Model & Levels; EU provisions: Equal Treatment of national eIDs, Recognition of national eIDs, Legal certainty; Modinis study; eID Terminology & Definition of eID Role; Personal Data Ownership; Common principles, minimal norms; eID Management Objectives Model; country inputs; Authentication levels overview (ENISA); Network and IT security.]
Proposal of concrete objectives
• internationally, authentication levels are established in
relation to identity, characteristics and mandates
• each country has registration procedures for establishing
the identity of individuals residing in their own country,
according to the internationally established
authentication levels
• each country has registration procedures for establishing
the identity of legal entities and actual associations that
are established in their own country, according to the
internationally established authentication levels
Proposal of concrete objectives
• each country makes available to each individual, each
legal entity and each actual association for whom/which
the identity is established in accordance with the
registration procedures, the means by which the
concerned entity can produce and prove its identity
(whether or not in a particular context) locally or
remotely, verbally, visually and electronically on the
territory of the country in question, without that entity’s
identity being confused with the identity of another
individual person, legal entity or actual association in that
country
Proposal of concrete objectives
• each country has registration procedures for establishing
the type of characteristics indicated by an internationally
accredited body, according to the internationally
established authentication levels
• each country has registration procedures for establishing
the mandate of an individual to represent a legal entity or
actual association, and the other types of mandates that
are indicated by an internationally accredited body,
according to the internationally established
authentication levels
Proposal of concrete objectives
• each country has the necessary systems to produce and
prove the characteristics and mandates of individuals,
legal entities and actual associations that have been
established according to the registration procedures
(whether or not in a particular context), locally or
remotely, verbally, visually and electronically on the
territory of the country in question, either with the
permission of the concerned entity or in accordance with
a statutory or legal provision
Proposal of concrete objectives
• under the coordination of the European Commission, the
Member States of the EU develop EU standards and
specifications to ensure the semantic and technical
interoperability of resources for producing and proving
electronically the identity, characteristics and mandates
through or in relation to individuals, legal entities and
actual associations on the territory of other Member
States
More information
• social security portal
www.socialsecurity.be
• website Crossroads Bank for Social Security
www.ksz.fgov.be
• personal website of the speaker
www.law.kuleuven.ac.be/icri/frobben